General Data Protection Regulation
Since 25th May 2018 every organisation that handles the personal data of people in the EU has had to comply with the General Data Protection Regulation (GDPR). Surprisingly, that's a good thing: our personal data has to be handled more responsibly and only with permission.
If you are not EU based it is still common sense, so please read on!
You'll need a robust GDPR privacy policy. WordPress now provides a starter privacy policy page template!
The Church Admin plugin, and therefore your website, holds personal data (names, addresses, email addresses, phone and mobile numbers, children's details), and it can contact people by email and SMS.
You'll need to keep records of how and when permission was given.
You'll need to keep the data only for as long as it is operationally needed, so delete it when people leave.
You'll also need to think about what other personal data you keep on paper and online, and how secure it is: giving records, Gift Aid forms and so on.
I have needed to make some big changes to the plugin to make sure we are compliant.
Church Admin now has…
- A PDF report for a household of what data is stored (from 25th May 2018 people can make a "Subject Access Request" free of charge)
- Communication preferences on the register screen (explicit permission for email, SMS, phone and mail)
- Two-way Mailchimp synchronisation
- A printable PDF form for each household explaining what data is held and confirming permissions, with space for signatures of everyone over 16 in the household. My suggestion is that you get everyone in your church to return one and then file it so you are covered.
- All shortcodes/Gutenberg blocks that may display personal data require a login. If you are not in the EU and a bit daft, you can add loggedin=FALSE to open them up.
What you need to do…
1) Make sure you have an SSL certificate on your site, so it is served over https://your.website and personal data is never sent in the clear.
2) Make sure all Church Admin shortcodes that reveal personal data (mainly the address list) are only viewable on logged-in pages. The best way is to use the "Create User Accounts" button on the People tab so that every member has a login.
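To show what "require a login unless loggedin=FALSE is set" means in WordPress terms, here is an added illustration. It is not Church Admin's own code: the shortcode name `example_address_list`, the attribute handling and the `example_get_households()` data source are all hypothetical, and the household data is constructed for the example. The pattern uses only standard WordPress functions (`add_shortcode`, `shortcode_atts`, `is_user_logged_in`, `wp_login_url`, `esc_html`).

```php
<?php
/**
 * Added illustration (not Church Admin's own code): a shortcode that only
 * renders personal data for logged-in users. Only an explicit
 * loggedin="false" attribute opens the list to anonymous visitors, so a
 * forgotten attribute fails closed rather than open.
 * Shortcode name, attribute and data source are hypothetical.
 */

function example_get_households() {
    // Constructed sample data for the illustration only.
    return array(
        array( 'name' => 'Smith household', 'address' => '1 High Street' ),
        array( 'name' => 'Jones household', 'address' => '2 Church Lane' ),
    );
}

function example_render_address_list( $atts ) {
    $atts = shortcode_atts(
        array( 'loggedin' => 'true' ), // default: a login is required
        $atts,
        'example_address_list'
    );

    // Treat anything other than an explicit "false" as "require login".
    $require_login = ( 'false' !== strtolower( trim( (string) $atts['loggedin'] ) ) );

    if ( $require_login && ! is_user_logged_in() ) {
        // Never emit partial data: return a neutral message and a login link
        // that brings the visitor back to this page afterwards.
        return '<p>'
            . esc_html__( 'Please log in to view the address list.', 'example' )
            . ' <a href="' . esc_url( wp_login_url( get_permalink() ) ) . '">'
            . esc_html__( 'Log in', 'example' )
            . '</a></p>';
    }

    $out = '<ul class="example-address-list">';
    foreach ( example_get_households() as $household ) {
        // Escape every field: names and addresses are user-supplied text.
        $out .= '<li>' . esc_html( $household['name'] )
              . ', ' . esc_html( $household['address'] ) . '</li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'example_address_list', 'example_render_address_list' );
```

Two caveats a practitioner would want. First, `is_user_logged_in()` only checks that the visitor has any account on the site, so the "Create User Accounts" approach works because every account it creates belongs to a church member; if you also hand out accounts to outsiders, check a capability or role as well. Second, if you run a full-page caching plugin, make sure pages containing such shortcodes are excluded from the cache (or the cache varies on the login cookie), otherwise a copy rendered for a logged-in member can be served to an anonymous visitor.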